Re: [tsugi] APEI Vulnerabilities - Need Assistance

[Chuck Severance]

Alex,

You can’t send to the tsugi-dev list until you join it.

https://groups.google.com/a/apereo.org/g/tsugi-dev

The answer to your question is “yes”.  In the config.php for Tsugi, you can set this variable:

$CFG->staticroot = 'https://www.dr-chuck.net/tsugi-static';

This can be any URL you like.  The default is https://static.tsugi.org/js/ if you don’t set it.

If you visit

https://static.tsugi.org/

It tells you where the git repo for this is located:

https://github.com/tsugiproject/tsugi-static

You just check this out into whatever hosting or CDN you want and point your Tsugi instances at your URL instead of the Tsugi wide URL.

When I do development and might need to adjust tsugi-static - I just check it out into my local web server as a peer to my tsugi site and use something like:

 $CFG->staticroot = $CFG->wwwroot . '/../tsugi-static';  // Relative

You could serve it from the same server as your application - but I recommend using a CDN to serve the static to save a lot of load on your main server.  If you do a domain lookup on static.tsugi.org - it is on a heavily cached (and free) world-wide CloudFalre CDN - it is why this default path can be hit by every Tsugi instance on every page view around the world and still be very quick.  I have not measured the bandwidth savings but I would expect it would be of 90% savings in bandwidth and server load.

Hope this helps.

/Chuck

On Aug 1, 2025, at 7:06 AM, Alexander, Denny <DAlex...@apei.com> wrote:

Hi Team,

I got an undeliverable for tsug...@apereo.org hence writing to your larger mailbox to get some assistance from APEI.

Please look into this and assist or point us to the right contacts who can review and assist.

Thanks and Regards

Denny Alexander  Technical Leader – Intelligent Infrastructure Services  9880012227  Shaping positive change

---

From: Alexander, Denny <DAlex...@apei.com>
Sent: Friday, August 1, 2025 4:30 PM
To: tsug...@apereo.org <tsug...@apereo.org>; VengipuramThiruvoimozhi, Ramanujan <RThiruv...@apei.com>; Tungana, Ramana <RTun...@apei.com>
Cc: Hampanakuppe Vishwanatha, Harshitha <H...@apei.com>; Chavada, Chintan <CCha...@apei.com>; Sinha, Avinash <ASi...@apei.com>; Sukumaran, Ajai <ASuku...@apus.edu>
Subject: APEI Vulnerabilities - Need Assistance

 

Hello Tsugi Team,

We are currently using a PHP application that integrates the Tsugi framework and makes use of the native static JavaScript files hosted at:

https://static.tsugi.org/js/

As part of our ongoing security and compliance efforts, we are reviewing the use of third-party static assets, particularly JavaScript libraries, and aiming to ensure they are up to date with the latest versions and free from known vulnerabilities.

We would like to know:

1. Are there alternative ways to obtain these JS files from a version-controlled or self-hosted source (e.g., via NPM or a GitHub release)?
2. Do you have a recommended upgrade path or versioning strategy for these static files?
3. Is it safe and supported to self-host updated versions of these JS libraries, or does Tsugi depend on specific versions tied to framework compatibility?

Your guidance on how best to approach this in a secure and maintainable way would be greatly appreciated.

@Tungana, Ramana is your point of contact, and we can setup a call to review this together.

Thank you for your support.

Denny Alexander Technical Leader – Intelligent Infrastructure Services 9880012227 Shaping positive change